Governance of research that uses identifiable personal data
BMJ 2006; 333 doi: https://doi.org/10.1136/bmj.333.7563.315 (Published 10 August 2006) Cite this as: BMJ 2006;333:315- Robert Souhami, emeritus professor of medicine (robert.souhami{at}btinternet.com)
Information contained in routine medical records, disease registries, completed trials, and research programmes is an invaluable resource for research into public health. The secondary use of such data, which were often collected for unrelated purposes, has demonstrated the late effects of treatment, indicated social differences in health care, suggested environmental causes of cancer, and identified epidemics. For years the United Kingdom has been in the forefront of this research, and the NHS has been a unique source of such data.
In most medical research, doctors and investigators have direct contact with patients and can seek spoken and written consent directly. But research reusing previously collected data may encounter considerable difficulties with respect to both consent and anonymity. The study populations may comprise many thousands of people; some patients will have moved or died; the information may need to be linked to two or more databases; and individual identification may be necessary to prevent double counting. Problems may arise regarding the necessity and practicability of obtaining consent, the degree to which the data can be anonymised without losing vital information, and the security of the data at all stages.
Such difficulties concerning this secondary use of identifiable data are now damaging our population based research—an “own goal” at a time when a national system of health records would give us unequalled opportunities for research to improve health. A series in the BMJ, which ends this week, has highlighted these problems and suggested solutions.1–4 A recent report from the Academy of Medical Sciences also provided an analysis and suggested ways forward.5
The problems arise from changes in the law and their interpretation by regulators, and from increasing social and political concerns about encroachment on privacy. In fact, the Data Protection Act, the Human Rights Act, and the common law of confidentiality do not present insurmountable obstacles to the use of identifiable data without consent, provided that there are demonstrable benefits to the public, the risks of identification are low, and there are good reasons why consent cannot reasonably be obtained or the data fully anonymised. The benefit derived must be demonstrably proportionate to the risk involved.4
Researchers must account for the design of their research and justify why either full anonymisation cannot be used or consent cannot be obtained. Researchers may encounter various interpretations of the relevant rules and highly restrictive demands from the different regulatory bodies to which the research may have to be presented, as the Academy of Medical Science's report details.5 These regulatory bodies include the research and development offices of NHS trusts, research ethics committees, the Department of Health's patient information advisory group, and the government's Office of the Information Commissioner. The machinery of assessment is uncoordinated and sometimes contradictory. Researchers may face endless delays and demands for redesign of their proposed studies.
Regulatory authorities and others concerned with research ethics, such as the BMA and General Medical Council, sometimes base their opinions about what is permissible in research using personal data for public benefit on untested and questionable assumptions about what the public would expect, want, or accept. People's sensitivity towards use of data will vary with the disease in question. Furthermore, the general public may have different opinions from patients who have a particular disease and who have a strong desire to see research that will benefit themselves or others. Whose view should prevail?
Research on public and patients' views is scanty and usually lacking in focus. Well designed, large scale studies that focus on specific issues are needed. One such study showed overwhelming support for the inclusion of cancer diagnoses in cancer registries—a legal requirement in some countries, but which GMC guidance in 2000 had indicated was not permissible.6
How should we go forward? The BMJ series and the academy's report make many sound recommendations. Regulating bodies should accept that the law permits the secondary use of data without consent or full anonymisation provided that the likely benefit to the public is demonstrably proportionate to the risk of identification and the consequent distress caused.
The process of assessing research proposals should be simplified and made consistent, and the reasons for decisions should be clearly argued and stated. Decisions made by the Department of Health's patient information advisory group, which has a statutory role, should be publicly available as examples to inform other researchers and the public.
Researchers, regulators, and funders need a single framework of guidance concerning requirements for consent, anonymisation of data, and access to data for different research types, populations, and diseases. There must be assured standards of data security and confidentiality in handling data. Demonstrably high standards are necessary to ensure continuing public confidence in research that uses personal data. The academy report recommends that the UK Clinical Research Collaboration takes the lead in this development.
The public should be informed participants in this form of research. The NHS should make its research mission explicit when people use the service, in the same way that patients attending a teaching hospital are informed about and invited to participate in the professional education that happens there. Obtaining general consent does not remove the obligation to seek specific consent for individual projects, but it provides an opportunity to inform the public of the benefits of such research and the inherent safeguards.
These changes are all achievable. The public, researchers, funders, and regulators should all take part in developing effective mechanisms of research governance using personal data. They all have, after all, a shared aim in supporting research for public benefit. With the development of national electronic care records the UK can become the global front runner in both research and governance.
Footnotes
-
Competing interests RS was the chair of the working party of the Academy of Medical Sciences on the use of personal health data in research.
Analysis and comment p 349